SpyEye Malware Targeting Financial Firms Doubles in 1 Month

The number of financial institutions in Canada targeted by the SpyEye malware more than doubled in a single month, from May to June, according to research by security firm Trusteer.

“Research findings from the Trusteer Situation Room and our anomaly detection service Pinpoint indicate that the number of financial institutions targeted by the SpyEye Trojan is growing,” said Mickey Boodaei, Trusteer CEO.

“In parallel with this, our risk analysis teams have also observed an increase in the number of countries where financial institutions are being targeted by fraudsters using SpyEye.”

Trusteer previously spotted a generic malware downloader, first seen in December 2008 and called Hiloti, that typically downloads other malware such as Zeus and SpyEye to carry out fraud. In mid-June this year, the security firm spotted a SpyEye configuration targeting users of two leading European airline travel Web sites – Air Berlin, the second largest airline in Germany (after Lufthansa), and AirPlus, the global provider of business travel services for companies.

Although SpyEye may seem much older, the malware toolkit surfaced less than two years ago, in December 2009.

Returning to Trusteer's most recent findings, analysis of the SpyEye command-and-control servers that its risk analysis team reviews every month revealed that 60 percent of SpyEye bots have been targeting financial institutions in the US, followed by the UK with 53 percent, Canada with 31 percent, Germany with 29 percent, and Australia with 20 percent (the figures overlap because a single bot can target institutions in more than one country).

“Interestingly enough, the percentage of SpyEye bots targeting Canadian banks has more than doubled from 14% in May to 31% in June,” Boodaei said.

Other countries targeted by more than 10 percent of SpyEye bots include Italy, Ireland, the UAE, Spain, Costa Rica, France, Turkey, India, Jordan, Russia, and Portugal.

Trusteer said SpyEye continues to expand its “hit list”.

In May, SpyEye added targets in the Middle East, including Saudi Arabia, Bahrain and Oman. In June, financial institutions in Venezuela, Belarus, Ukraine, Moldova, Estonia, Latvia, Finland, Japan, Hong Kong and Peru were attacked.

The security firm has also observed that Russia is “a relatively new addition to the target list.”

Trusteer noted that the fraud patterns used by SpyEye are somewhat different from those of Zeus and other financial malware.

“Specifically, our risk analysis teams have observed new code being incorporated into SpyEye that is designed to evade transaction monitoring systems,” it said.

Transaction monitoring systems analyze various aspects of the customer’s online banking session in order to detect abnormal behavior that may be attributable to malware activity.

SpyEye's developers appear to have worked out how these defenses behave and are now trying to ensure that their code's activity evades them.

“SpyEye seems to follow Agile software development practices, namely it is flexibly and simply coded, and new configurations are being rolled out as quickly as possible by its developers,” Trusteer said.

“At certain times, we have even seen two new versions of the malware released every week. It’s important to note that there is a large difference between a new version and a simple variant of financial malware,” Boodaei added.

A new version means that the program code itself has been modified, whereas a new variant is just new packing around the same code.

Boodaei said some of the changes that his firm’s risk analysis teams are seeing include “some very significant improvements to the core SpyEye technology.”

“The author’s ability to rapidly react and improve the software should be a major concern to anyone who already is – and who may be – on SpyEye’s target list.”

It was previously reported that the malware's developers were merging it with the older Zeus code.

Trusteer noted that early versions of the malware included a feature to remove Zeus from an infected host, ensuring that SpyEye was the only financial malware on the compromised computer.

“Overall, we are recommending that financial institutions monitor development in the SpyEye toolkit. They should pay close attention to SpyEye attack vectors that target their brand, as well as new SpyEye attacks that target other financial institutions,” Boodaei said.

“The intelligence from this process should be included in the financial institution’s security controls such as anomaly detection and endpoint protection. The ability to react fast to SpyEye’s changes in pattern is, we believe, key to an effective fraud prevention architecture against this dangerous toolkit.

“For US banks, incorporating real-time threat intelligence and anomaly detection from services like Trusteer Situation Room and Trusteer Pinpoint will soon be a requirement under the updated FFIEC Guidance for online banking security.”